Firewall not detecting obvious hacking

Basildane · January 3, 2019, 1:40pm

Here is a common example:

[2019-01-02 22:19:40] SECURITY[13452] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-01-02T22:19:40.659-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="dFh7t2Rb2Rz7g4UY3VZCVQ..",LocalAddress="IPV4/TLS/10.0.10.15/5061",RemoteAddress="IPV4/TLS/46.166.151.160/50145",ACLName="registrar_attempt_without_configured_aors"

The problem appears to be that /etc/fail2ban/filter.d/asterisk.conf is missing the TLS selector in both the LocalAddress and RemoteAddress.

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

ngingras · January 3, 2019, 2:20pm

Seems like an easy fix. Have you already created a bug report?

http://issues.freepbx.org/

Basildane · January 3, 2019, 2:40pm

did now.

BlazeStudios · January 3, 2019, 2:48pm

This is in no way a Firewall issue. Fail2ban is not the Firewall. They are two completely different things.

This was a block due to it being anonymous that has nothing to do with it being TLS or not TLS. As well fail2ban will only block things once they have done X in Y time. It is not a firewall in a preventive manner. It waits for something bad to happen and then it does stuff.

The actually System Firewall would be a completely different beast and it is Deny All by default. Are you running the System Firewall?

Basildane · January 7, 2019, 1:02pm

I think you misunderstand, there was NO block. That’s the problem. And I updated the fail2ban rule myself to detect TLS and it works. Yes the firewall is enabled.

My expectation is that a security event like this will trigger a ban on that ip address. That works now that I added the TLS selector to the rule.

system · January 14, 2019, 1:02pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.